Re: Parsing long PowerShell sessions

henryyam · ‎05-22-2019

How is everyone parsing these powershell transcriptions when a person leaves the shell open for multiple days?
In that case it shows the user who executed once, but there can be a hundred command starts spanning multiple days.

Is the consensus to capture this still as one event? Or do you have logic that breaks those into multiple events?

I have some transcripts files 30+MB in size.

Command start time: 20190522100828

PS>CommandInvocation(Get-ProvTask): "Get-ProvTask"

ParameterBinding(Get-ProvTask): name="AdminAddress"; value="google.com:80"
ParameterBinding(Get-ProvTask): name="MaxRecordCount"; value="2147483647"

Command start time: 20190522100830

PS>CommandInvocation(Get-BrokerCatalog): "Get-BrokerCatalog"
ParameterBinding(Get-BrokerCatalog): name="AdminAddress"; value="yahoo.com:80"
ParameterBinding(Get-BrokerCatalog): name="MaxRecordCount"; value="2147483647"
ParameterBinding(Get-BrokerCatalog): name="Property"; value="Uid, Name, MetadataMap, ProvisioningSchemeId, Scopes"

henryyam · ‎05-29-2019

I believe we can potentially link all these events based on the fact that they generate from the same source file.
I could probably go back and look up the original user. It just seems to be a cumbersome process.

richgalloway · ‎05-22-2019

Converted from answer to a new question.

---
If this reply helps you, Karma would be appreciated.

Parsing long PowerShell sessions

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Parsing long PowerShell sessions

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk